Coordinated Response
Services and tools for incident response management

Standards for Incident Handling are like English

The English language is spoken with different accents and different vocabularies while still saying the same thing.

The standards for Incident Handling use different vocabularies, but they also say the same thing.

The table below compares the language used by 4 authorities to describe the incident handling phases. The authorities employ 4, 5, or 6 phases.

Phase NIST SP 800-61 ISO 27035 SANS ISACA
Before Prepare Planning & Preparation Preparation Preparation
During Detect & Analyze Identify & Report Identification Detect, Triage, & Investigation
Contain, Eradicate, & Recover Assess Containment Containment, Tracking, Analysis, & Recover
Respond Eradication
Recovery
After Review Incident Learn Lessons Learned Post Incident Assessment
Incident Closure
Total 4 Phases 5 Phases 6 Phases 5 Phases

National Institute of Standards and Technology

NIST SP 800-61 Rev 2 Computer Security Incident Handling Guide, 2012.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

International Standards Organization

ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management, 2011.
http://www.iso.org/iso/catalogue_detail?csnumber=44379

SANS Institute

The Incident Handler’s Handbook, 2011.
http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

ISACA

Incident Management and Response, 2012.
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx

Coordinated Response

The Response Management Framework aligns well with all of these approaches. Let us apply the framework in a response plan review.